Snort mailing list archives

Re: Functional Rule-chain?


From: Joel Esler <jesler () sourcefire com>
Date: Tue, 15 Jun 2010 11:42:45 -0400

Parker,

I'm sure VRT will look into this, however, just an FYI.  If you use PulledPork to update rules, PulledPork will 
autoresolve all the flowbit dependencies for you.

J

On Jun 15, 2010, at 9:36 AM, Crook, Parker wrote:

Howdy all,
 
I was doing some standard performance tuning on my ruleset and noticed a particular oddity the other day.  I noticed 
rule 1:3819 spending a fair amount of time on a decent number of checks with no matches.  So I opened up rule 3819 
and noticed it is just a “flowbits:set, chm_content_type; flowbits:noalert” rule for use by rule 3820.  So I took a 
look at 3820 and it is disabled by default.
 
So my question is: why is 3819 on by default when all it does is set a flag for use by 3820, which is off by default?

--
Joel Esler
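
As an added illustration of the flowbit dependency problem discussed in this thread (this is not code from the list, from Snort or from PulledPork): a small Python script that parses a constructed ruleset modelled on the 3819/3820 pair and reports enabled setter rules whose consumers are all disabled, plus disabled setters that an enabled consumer still needs, which is the case a resolver like PulledPork fixes. The rule bodies, msg text and the demo_bit rules with sids 1000001/1000002 are assumptions made for the demo.

```python
import re

# Constructed sample ruleset modelled on the 3819/3820 pair from the thread: the
# sids and the bit name chm_content_type come from the post; everything else
# (msg text, the demo_bit pair with sids 1000001/1000002) is invented here.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"CHM content type"; flowbits:set,chm_content_type; flowbits:noalert; sid:3819; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"CHM transfer"; flowbits:isset,chm_content_type; sid:3820; rev:5;)
# alert tcp any any -> any any (msg:"demo setter"; flowbits:set,demo_bit; flowbits:noalert; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"demo consumer"; flowbits:isset,demo_bit; sid:1000002; rev:1;)
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
FLOWBITS_RE = re.compile(r"\bflowbits:\s*(\w+)\s*(?:,\s*([^;]+))?;")
SETTERS, CHECKERS = {"set", "setx", "toggle"}, {"isset", "isnotset"}

def parse_rules(text):
    """One record per rule: sid, enabled flag, bits it sets, bits it checks."""
    rules = []
    for line in (l.strip() for l in text.splitlines()):
        sid = SID_RE.search(line)
        if not sid:
            continue  # blank line or a plain comment without a sid
        rule = {"sid": int(sid.group(1)), "enabled": not line.startswith("#"),
                "sets": set(), "checks": set()}
        for op, names in FLOWBITS_RE.findall(line):
            # names may combine bits with & or |; noalert/reset carry no name
            bits = {b.strip() for b in re.split(r"[&|]", names)} if names else set()
            if op in SETTERS:
                rule["sets"] |= bits
            elif op in CHECKERS:
                rule["checks"] |= bits
        rules.append(rule)
    return rules

def flowbit_report(rules):
    """Classify setter rules the way a flowbit dependency resolver would."""
    checked_by_enabled = {bit for r in rules if r["enabled"] for bit in r["checks"]}
    report = {"orphan_setters": [], "needed_setters": []}
    for r in rules:
        if not r["sets"]:
            continue
        wanted = any(bit in checked_by_enabled for bit in r["sets"])
        if r["enabled"] and not wanted:
            report["orphan_setters"].append(r["sid"])  # 3819: no enabled rule checks it
        elif not r["enabled"] and wanted:
            report["needed_setters"].append(r["sid"])  # a resolver would re-enable this
    return report
```

Run against SAMPLE_RULES, 3819 lands in orphan_setters (its only consumer, 3820, is commented out) and 1000001 in needed_setters.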


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs